Noninterference with Dynamic Security Domains and Policies
[chapter]
2009
Lecture Notes in Computer Science
and the effective security policy. ...
Language-based information flow analysis is used to statically examine a program for information flows between objects of different security domains, and to verify these flows follow a given policy. ...
With a single proof, programs can be shown secure for any object domains and security policies. ...
doi:10.1007/978-3-642-10622-4_5
fatcat:jvponhn275hqnhl6m5lbzol6ym
Security Protection Technology of Cyber-Physical Systems
2015
International Journal of Security and Its Applications
Based on computation and network technology, Cyber-Physical Systems (CPS) has achieved rapid growth but it is faced with increasingly serious security problems and needs targeted security protection technologies ...
Considering the characteristics of the typical architecture of CPS, this paper integrates the analytical method of information flow based on the noninterference theory and proposes the security protection ...
and 3132014093. ...
doi:10.14257/ijsia.2015.9.2.15
fatcat:4laprffadrd4bjiwlovsfh6f2a
Unwinding Conditional Noninterference
[article]
2010
arXiv
pre-print
Our new policies subsume the policies of both transitive and intransitive noninterference, and support dynamic requirements such as upgrading and downgrading. ...
In the literature this notion has been well studied as transitive noninterference and intransitive noninterference. ...
For example, one may define a policy ⊆ {A, B, C} × {A, B, C} for a system with three security domains, such that domain A is allowed to send information to domain B by A B (i.e., (A, B) ∈ ), and that domain ...
arXiv:1003.3893v1
fatcat:ayujtzhkmzdhpfqfya2vc4bmm4
Security policies for downgrading
2004
Proceedings of the 11th ACM conference on Computer and communications security - CCS '04
These policies are connected to a semantic security condition that generalizes noninterference, and the type system is shown to enforce this security condition. ...
This paper presents security policies for downgrading and a security type system that incorporates them, allowing secure downgrading of information through an explicit declassification operation. ...
Acknowledgments Thanks to Andrei Sabelfeld and Steve Zdancewic for suggestions about declassification policies, and Michael Clarkson, Nate Nystrom, Riccardo Pucella, Lantian Zheng, and the anonymous reviewers ...
doi:10.1145/1030083.1030110
dblp:conf/ccs/ChongM04
fatcat:xtnq3aqow5azfcdpz2bx25sizm
A Model-Driven Approach to Noninterference
2014
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
Stenzel, Katkalov, Borek and Reif
Figure 5: Original security policy (on the left) and new policy with an additional domain for implicit declassification (on the right). ...
Together with the properties and a security policy (Fig. 5) a formal specification can be generated as well. ...
doi:10.22667/jowua.2014.09.31.030
dblp:journals/jowua/StenzelKBR14
fatcat:ur26bt4terd3znbfmcj56fqp2m
Dynamic Intransitive Noninterference Revisited
[article]
2016
arXiv
pre-print
The paper studies dynamic information flow security policies in an automaton-based model. ...
Two semantic interpretations of such policies are developed, both of which generalize the notion of TA-security [van der Meyden ESORICS 2007] for static intransitive noninterference policies. ...
Then for any dynamic security policy with M ≤ , the system M is both ta ♦ -secure and ta -secure with respect to . Proof: Immediate from Theorem 6.1 using Proposition 2 and Proposition 3. ...
arXiv:1601.05187v1
fatcat:bs65shhnwbag3ekwajxcbbzle4
Declassification: Dimensions and principles
2009
Journal of Computer Security
While the security community has recognised the importance of the problem, the state-of-the-art in information release is, unfortunately, a number of approaches with somewhat unconnected semantic goals ...
A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more ...
Myers and Pablo Giambiagi for fruitful discussions. ...
doi:10.3233/jcs-2009-0352
fatcat:c6ngeq6bbrgnvfdc6r3jjqz77a
What You Lose is What You Leak: Information Leakage in Declassification Policies
2007
Electronic Notes in Theoretical Computer Science
the information released by the policy and (b) Check whether program execution may release more information than what is permitted by the policy by completing the finite abstract domain wrt. weakest liberal ...
Subsequently the policy can be refined so that the least amount of confidential information necessary for making the program secure is declassified. ...
These restrictions can be modeled as abstract domains, and therefore by means of abstract noninterference policies. ...
doi:10.1016/j.entcs.2007.02.027
fatcat:ujlp7mzl25g5fb5naqb2y4dmlu
Verified Enforcement of Security Policies for Cross-Domain Information Flows
2007
MILCOM 2007 - IEEE Military Communications Conference
In order to specify and enforce expressive and fine-grained policies, we advocate dynamically associating security labels with sensitive entities. ...
We describe work in progress that uses program analysis to show that security-critical programs, such as cross-domain guards, correctly enforce cross-domain security policies. ...
We have formalized the use of roles as security labels in an SOPL that supports dynamic policy updates [6]. ...
doi:10.1109/milcom.2007.4455189
fatcat:7kfgqxjdkrhvxl3xmgugldhk4i
Noninterference via Symbolic Execution
[chapter]
2012
Lecture Notes in Computer Science
Noninterference can be enforced statically using information flow type systems; however, these are criticized for being overly conservative and rejecting secure programs. ...
In this work we propose a novel, alternative approach: utilizing symbolic execution in combination with ideas from program logics in an attempt to increase the precision of analyses and automate noninterference ...
We would like to thank Dries Vanoverberghe for very insightful and valuable comments on a late draft of the paper and Tatyana Doktorova for many helpful suggestions on the presentation. ...
doi:10.1007/978-3-642-30793-5_10
fatcat:7i2esiblpff25hkarstnluckli
Characterizing intransitive noninterference for 3-domain security policies with observability
2005
IEEE Transactions on Automatic Control
Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems. ...
INI property is widely used in formal verification of security problems in computer systems and protocols. ...
of security policies. ...
doi:10.1109/tac.2005.850643
fatcat:vvdvxqhbmbbn3dhwcfcfzi3p4q
CookiExt: Patching the browser against session hijacking attacks
2015
Journal of Computer Security
With the present paper we provide the first such result, by presenting a mechanized proof of noninterference assessing the robustness of the HttpOnly and Secure cookie flags against both web and network ...
To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. ...
Cookies, in turn, are ranged over by c and defined as records with six fields: a name, a value, a domain, a path, and two boolean flags secure and httponly. ...
doi:10.3233/jcs-150529
fatcat:oh3myqbcnrfhdhz2k4tevmlwg4
Reasoning About Information Flow Security of Separation Kernels with Channel-based Communication
[article]
2015
arXiv
pre-print
This paper presents the first effort to formally specify and verify separation kernels with ARINC 653 channel-based communication. ...
We provide a reusable formal specification and security proofs for separation kernels in Isabelle/HOL. ...
Basic Components According to Fig. 1, basic components include security domains, security policies and communication components. ...
arXiv:1510.05091v1
fatcat:dafdhql3rrc7rhxmmjj4gpxtrq
Position paper
2013
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security - PLAS '13
Sapper addresses this problem by enabling flexible and efficient hardware design that is provably secure with respect to a given information flow policy. ...
Sapper uses a hybrid approach that leverages unique language features and static analysis to determine a set of dynamic checks that are automatically inserted into the hardware design. ...
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the ...
doi:10.1145/2465106.2465214
dblp:conf/pldi/0001KOTRKSHC13
fatcat:v5mwy4pquzdj5bjo5564tir4yi
Understanding and Enforcing Opacity
2015
2015 IEEE 28th Computer Security Foundations Symposium
We present a framework for opacity and explore its key differences and formal connections with such well-known information-flow models as noninterference, knowledge-based security, and declassification ...
This paper puts a spotlight on the specification and enforcement of opacity, a security policy for protecting sensitive properties of system behavior. ...
Acknowledgments: This work was funded by the European Community under the ProSecuToR and WebSand projects and the Swedish research agencies SSF and VR. ...
doi:10.1109/csf.2015.41
dblp:conf/csfw/SchoepeS15
fatcat:orel3lewbbg5zkb6kwpogib7b4